Setting Up Linux for PPP

Unlimited Access

Practice Exams

CISSP

CCNP

MORE...

SECURITY

Setting Up Linux for PPP

Email this Article

Print this Article

• Relates to: Linux+ | LPIC1- Linux Junior Level | LPIC2- Linux Intermediate Level | Linux Level I

In days of old (or so it seems), before cable modems and ADSL, people connected to the Internet over modems. The most popular way to do that was to use a protocol called "PPP", or the Point to Point Protocol. PPP encapsulates your packets over a serial line (i.e. a telephone line) so that they can travel from you to your ISP over the telephone company's voice network.

Setting up Linux for PPP is surprisingly easy. The main component is "pppd", the PPP daemon. Generally, any program that ends in 'd' is a daemon, a program that runs silently in the background performing a task. Other examples are xinetd, sshd, in.telnetd, ftpd, and httpd. pppd can also call external programs to help you set up the connection, such as to dial the modem. Some ISPs require you to log in through a text interface, some use ppp's natural authentication mechanisms. "chat" is the component that takes you from modem dial to the PPP protocol.

Configuration for pppd generally lives in /etc/ppp. You'll see a few files in there already, but don't worry about them. The first thing to do is create our chat script, which will take care of dialing my ISP. Chat scripts, in their simplest form, are a series of "When I get this, do that" commands. So, I created /etc/ppp/chat-test as follows:

ABORT "NO CARRIER"
ABORT "NO DIALTONE"
ABORT "ERROR"
ABORT "NO ANSWER"
ABORT "BUSY"
"" "at"
OK "at&d0&c1"
OK "atdt5551111"
CONNECT ""

The first five lines are things to look for that will cause the script to abort, rather than complete successfully. Since "ABORT" is on the left, it just tells chat that if this ever comes up, to abort. If the line is busy, I don't want PPP to try to authenticate to nothing, do I? After that, it's your basic modem commands. I wait for nothing, and send "at". From that, I should get "OK", at which point I send my initialization string. "OK" follows, I dial the modem, and I'm done when I see "CONNECT". This implies that I'm going to rely on PPP's authentication method, which is PAP or CHAP.

PAP and CHAP are authentication protocols (the AP part), and are either plain passwords, or challenge-handshake (take a guess which is which). PAP passwords pass in cleartext, CHAP in encrypted format. Normally this is something to be concerned about, but since the password travels over the phone line, I'm not too concerned about which I choose. Setting them up is the same.

/etc/ppp/pap-secrets and /etc/ppp/chap-secrets hold the authentication tokens (ie username/passwords). Since pppd can be both a client and a server, and you can connect to multiple servers, all the secrets (passwords) are stored in the same place. The format for dialin users is simply:

username * password *

If you knew the name of the remote server, you could put it in place of the first star, but in most cases, this is all you'll ever have.

So far, we've got a chat script to connect us to the ISP, and our username/password is taken care of. All that remains is the configuration of pppd itself.

There are several ways you can invoke pppd. We're going to set up a peer, and direct pppd to call the peer. We could also set up a global configuration, or even one specific to the modem. The peer way lets us keep our ISP's configuration separate from anything else, such as other ISPs or your PPPoE connection on ADSL.

/etc/ppp/peers is a directory containing your peer configurations. The configuration files for pppd are a series of keywords followed by an option. Order doesn't matter at all. I created a file called "test", to refer to my "test" ISP:

ttyS2 38400 crtscts
connect '/usr/sbin/chat -v -f /etc/ppp/chat-test'
noauth
user sean
defaultroute

The first line tells pppd what my modem is, and what options to use. Here, I have ttyS2 (AKA COM3), a locked port speed of 38400, and hardware flow control (crtscts). The second line tells pppd to use chat to do the connection, and I'm passing the name of the script. -v is "verbose", a good idea to have set the first few times you connect. noauth isn't what you think it might be, it says that you aren't requiring that the remote end authenticate itself to you. However, the remote end will almost certainly want you to authenticate itself to it, something that we already covered in pap-secrets.

"user sean" simply says that pppd is to present the credentials for sean (from either pap-secrets or chap-secrets), and nothing else. defaultroute means that pppd will install a default route to the other end. Since it's likely that we'll be using this line to connect to the Internet, a default route is a good thing. If you were connecting to a remote LAN, you would likely just set up a static route.

Once pppd has successfully brought up a connection, it runs the /etc/ppp/ip-up script. If you wanted to set some routes, firewall rules, or anything else, here is where you'd do it.

Finally, to make the call, log in as root, and run:

pppd call test

You can watch /var/log/messages for the status. If all goes well:

# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
inet addr:10.0.9.3 P-t-P:10.0.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4 errors:1 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:40 (40.0 b) TX bytes:58 (58.0 b)

And to disconnect:

# killall ppppd

Two problems usually surface. The first is that your chat script doesn't do its job. Checking /var/log/messages should show that. For most ISPs, you want to get all the way to the CONNECT message before pppd takes over. The second is, of course, passwords. Once again, messages will show a line like:

localhost pppd[18700]: Remote message: Authentication failure
localhost pppd[18700]: PAP authentication failed

That, my friends, is setting up a PPP connection! Pretty easy, eh?

For those looking to test this out in a lab environment, this link might be helpful for simulating the ISP.

Long live the Penguin!

Subscribe to our Free Must Know News Newsletter
Name: Email: